← Back to Skills Marketplace

USDC Escrow

Name: USDC Escrow
Author: zeroaddresss

by zeroaddresss · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

920

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install usdc-escrow

Description

Trustless USDC escrow for agent-to-agent payments on Base. Create, release, dispute escrows via simple commands.

Usage Guidance

This skill advertises a 'trustless' on‑chain escrow but its scripts call a third‑party API that (per its docs) uses a central server wallet and requires no authentication. That is a major red flag for any money‑handling service: you could be instructing the agent to send payment requests to an external operator who controls the funds. Before installing or using: 1) Ask the author to explain exactly how funds are deposited and authorized (how does the server know the depositor consented?), and whether the service is custodial. 2) Require authenticated API endpoints (API keys, signed requests) or local wallet signing so you control funds. 3) Verify the API host (who runs api.payclawback.xyz), request an audit of the smart contract and backend, and prefer services with verifiable on‑chain non‑custodial flows. 4) If you test, use only small amounts on the specified testnet and inspect actual on‑chain transactions. 5) Consider avoiding this skill until the custodial vs trustless contradiction and the lack of authentication are resolved.

Capability Analysis

Type: OpenClaw Skill Name: usdc-escrow Version: 1.0.0 The skill bundle is designed for trustless USDC escrow management, making API calls to `https://api.payclawback.xyz` via `curl` and parsing responses with `jq`. All shell scripts (`scripts/*.sh`) consistently use these tools to interact with the specified API endpoint, allowing for escrow creation, listing, details, release, dispute, resolution, and claiming. There is no evidence of data exfiltration, malicious execution (e.g., `curl|bash`), persistence mechanisms, obfuscation, or prompt injection attempts against the agent in `SKILL.md` or other documentation. The functionality is clearly aligned with its stated purpose.

Capability Assessment

⚠ Purpose & Capability

The description advertises a 'trustless USDC escrow' on Base, but the API docs state the server wallet 'approves USDC spending and calls the smart contract to lock funds.' That makes the service custodial, not trustless — a direct contradiction. The skill also requires no user credentials, which is inconsistent with a true non‑custodial escrow where the user signs on‑chain transactions.

⚠ Instruction Scope

All runtime scripts make unauthenticated HTTP calls to https://api.payclawback.xyz (or overridden ESCROW_API_URL). The instructions direct financial actions (create, release, resolve, dispute, claim) to an external service without any authentication or local wallet interaction — meaning funds/control depend on that service's behavior. The SKILL.md does not explain how depositor authorization is enforced.

✓ Install Mechanism

No install spec; the skill is instruction/script based and only requires curl and jq. Nothing is downloaded or written during install, so install mechanism risk is low.

⚠ Credentials

The skill requests no credentials or wallet access from the user, yet the API docs indicate a server wallet is used to transact. For a payment/escrow service this is disproportionate and suspicious: either the user must provide a signing key (not requested) or the service is custodial and must be trusted — the skill does not make this clear. Additionally, endpoints are documented as 'Auth: None', which is alarming for fund movement.

✓ Persistence & Privilege

The skill does not request persistent presence (always:false) and does not attempt to modify other skills or agent config. It does not require elevated platform privileges.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install usdc-escrow
After installation, invoke the skill by name or use /usdc-escrow
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

Initial release: trustless USDC escrow for A2A payments on Base Sepolia

Metadata

Slug usdc-escrow

Version 1.0.0

License —

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is USDC Escrow?

Trustless USDC escrow for agent-to-agent payments on Base. Create, release, dispute escrows via simple commands. It is an AI Agent Skill for Claude Code / OpenClaw, with 920 downloads so far.

How do I install USDC Escrow?

Run "/install usdc-escrow" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is USDC Escrow free?

Yes, USDC Escrow is completely free (open-source). You can download, install and use it at no cost.

Which platforms does USDC Escrow support?

USDC Escrow is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created USDC Escrow?

It is built and maintained by zeroaddresss (@zeroaddresss); the current version is v1.0.0.

More Skills